I would like to remind users to always use response.setEncodeURL(url) to encode the url just in case the client's browser does not eat cookies.

Generally, users want to invalidate sessions on logout. So they invalidate the session on the server side. But do send back a cookie with MaxAge set to 0, so that lingering session cookies in the browser do not create problems in your servlet code.
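As an added example (not code from the post above), here is a logout servlet that does both things the post describes: it invalidates the server-side session, expires the session cookie with MaxAge 0, and encodes the redirect URL so clients that reject cookies still get the session id via URL rewriting. The servlet name, the `/login` target and the assumption that the container uses the default `JSESSIONID` cookie name are mine; the encoding method in the Servlet API is `HttpServletResponse.encodeURL` / `encodeRedirectURL`.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet: kills the server-side session and tells the
// browser to drop the lingering session cookie so it cannot be replayed.
public class LogoutServlet extends HttpServlet {

    // Assumption: the container uses the default session cookie name.
    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false): never create a fresh session just to invalidate it
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // Expire the cookie in the browser. Path must match the one the
        // container set on the original cookie, or the browser keeps the old one.
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (SESSION_COOKIE.equals(cookie.getName())) {
                    Cookie expired = new Cookie(SESSION_COOKIE, "");
                    expired.setMaxAge(0);          // MaxAge 0 = delete now
                    String ctx = request.getContextPath();
                    expired.setPath(ctx.isEmpty() ? "/" : ctx);
                    expired.setHttpOnly(true);
                    expired.setSecure(request.isSecure());
                    response.addCookie(expired);
                }
            }
        }

        // encodeRedirectURL appends the session id to the URL only when the
        // client is not accepting cookies; otherwise the URL is returned as-is.
        String target = request.getContextPath() + "/login";
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```

Bind logout to POST (as above) rather than GET so a stray link or prefetch cannot log a user out; after `invalidate()` any later `getSession()` call creates a brand-new session rather than reviving the old id.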